Also, a quick question: We are considering including the news section details and links on our website, and using our Tips message to point to the News section to make the Tips shorter, and also to avoid spam filters mistakenly blocking the Tips. What do you think? Let us know!

Dell made an announcement in May about a vulnerability found in a driver released for a firmware update. We recommend following Dell's directions (found here) to install the fix. The solution will search for the vulnerable file on your system and delete only that file without changing or deleting any of your other files or data.

If you prefer to fix the vulnerability yourself, you download the patch directly from Dell.

If you still have questions, contact your cybersecurity department to ask for help. With so many people working from home (WFH) and using their own personal computing devices, many organizations are offering assistance to help WFH employees with these types of tech issues.

Nextdoor has dramatically changed its policies, including its soon-to-be-released privacy policy. Our team has not yet been through the changes in-depth, but we plan to and will report our findings in the July Tips. In the meantime, here are two significant red flags to note:

Recommendations:

This great question could take a full week’s class to discuss! The high-level answer is the need to understand the context for each situation considered. Determining whether an organization has complied with privacy laws requires thorough and expert consideration of a variety of factors. To achieve optimal compliance in one situation within its own unique context can require a completely different set of actions than another, even seemingly similar, situation.

This is an issue that is often overlooked. The answers for how to comply with most privacy laws are typically not consistently the same nor definitive for everyone and all situations. They typically depend on consideration of each unique situation and factors associated with the context. Too many lawyers, consultants, IT pros, business leaders and others mistakenly believe or tell others that doing a specific action is always against a particular law. They also commonly advise that doing something else is always in compliance with a particular law. However, when considering the vast range of contexts within which privacy laws must be implemented, as well as the complexities of our data ecosystems, the answers often differ from situation to situation.

Sometimes they differ a little; sometimes quite a lot!

Yes, you do; you must protect and use the personal data of your workers in the EU in accordance with GDPR requirements. The EU General Data Protection Regulation (GDPR) aims to protect the personal data of EU residents by requiring a broad set of data privacy and security requirements. GDPR applies to any employer that processes and holds personal data for workers who live in the EU, including US-based businesses that have one or more employees or contracted workers in the EU.

Here are two additional things to consider:

For more, check out the recording of a May 26 IT GRC Forum webinar on GDPR Rebecca participated in.

ExpressVPN and Surfshark are Rebecca's recommendations, mainly for ease of use and security. Others may choose differently. She notes there are many good options, including most of those that come with the system.

McAfee's monthly tips are excellent for consumer awareness. Does your anti-malware tool provide similar? Let us know!

Jennifer Bayuk wrote the informative article, “Have Your Friends Asked you About Blockchain and Cryptocurrency?” An excerpt: “Blockchain is a technology that is used in multiple business applications, mostly financial, to keep track of business transactions and hold people accountable for changes to information. It creates a very hard to reproduce number for every change made to a multi-level transaction so it is possible to show with high probability that a given person or company authorized a change to data. It can be used to verify the integrity of any process wherein multiple parties participate in a step-by-step process and need incremental evidence to agree upon the outcome.” We recommend you check it out if you are interested in this topic.

The US Cybersecurity & Infrastructure Agency (CISA) created free phishing exercises and pen testing services. Great for your awareness and risk management activities.

The Carnegie Mellon University (CMU) Security and Privacy Institute CyLab developed a new privacy tool providing guidance for designing privacy choices.

The Wall Street Journal provided great information on How to Back Up All the Photos on Your Phone. When Google Photos' free storage ends June 1, users may want to upgrade to a paid plan. The article details cloud photo-backup options.

Google announced plans to double its artificial intelligence (AI) ethics research staff. The reported changes will boost the operating budget of team, which is tasked with evaluating code and products to avert discrimination and other problems. AI can offer benefits, like strengthening data and cyber security and privacy protections. However, if used inappropriately or with poorly constructed algorithms, it can cause significant data and cyber security incidents and privacy harms. We’ll be watching to see if Google follows through and what actions come about as a result.

44 US States & Territories signed a letter urging Facebook to abandon its plan for a children’s version of Instagram. Officials warned the platform could harm kids in many ways, including those that violate privacy and cause long-lasting harm. Curious about the 10 state AGs who did not sign their support for this initiative? Here they are: Alabama, Arizona, Arkansas, Colorado, Florida, Georgia, Indiana, North Dakota, Pennsylvania and West Virginia. Why didn't they sign? Ask them if you get a chance. Here’s the letter and an article about this initiative.

Android provided security features to prevent apps from tracking users' data.

Wired published an article describing how to remove default apps you never use from your phone. “Even the best phones come with bloatware, preinstalled apps that take up precious storage space.” Not only do they take up storage space, they also typically send data, including personal data, from your phone to a wide range of third parties…many of whom you may not want to have your private information.

PC Gamer pointed out the following: Windows 10 has a built-in ransomware block. Users simply need to enable it. “Turns out there is a mechanism in Windows Defender that can protect your files from ransomware.” NOTE: You must still be vigilant in not falling for social engineering tactics that could load ransomware into other parts of your system, via apps on your phone, etc.

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

• Facebook Loses Bid to Block Ruling on EU-U.S. Data Flows. Company fails to block a privacy decision that could suspend its ability to send information about European users to US.

• Sweden: Privacy Protection Authority Finds Police Use of Facial Recognition Illegal, Issues Fines

• Russian Federation: New Amendments Establish Rules for Collecting and Disseminating Personal Data

• Japan’s Rikunabi Scandal Shows The Dangers of Privacy Law Loopholes

• Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations. OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls and maintain documentation of HIPAA Security Rule policies and procedures.

• Three years of GDPR: the biggest fines so far. Organizations that have received the largest fines include: 1) Google; 2) H&M; 3) Tim - Telecom Italia; 4) British Airways; and 5) Marriott International Hotels

• Clearview AI hit with sweeping legal complaints over controversial face scraping in Europe. The privacy watchdogs believe Clearview’s image-scraping methods violate European laws.

• NYC Council passes Tenant Data Privacy Act. Measure restricts how landlords use data from keyless entry systems.

• WhatsApp sues Indian government over new privacy rules – sources. The case asks the Delhi High Court to declare that one of the new IT rules is a violation of privacy rights in India's constitution since it requires social media companies to identify the "first originator of information" when authorities demand it.

• A data breach at Peloton exposed all of its users. An unprotected server revealed a fake Amazon reviews scam. An issue with Britain's NHS website exposed citizens' Covid-19 vaccination status.

• Air India passenger data breach reveals SITA hack worse than first thought. Air India said this week that personal data of about 4.5 million passengers had been compromised following the incident at SITA, Indian flag carrier airline’s data processor. The stolen information included passengers’ names, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data.

• Canada Post reports data breach to 44 large businesses, 950K customers affected. A malware attack on one of Canada Post’s suppliers has caused a data breach affecting 44 of the company’s large business clients and their 950,000 receiving customers.

• They Told Their Therapists Everything. Hackers Leaked It All. A mental health startup built its business on easy-to-use technology. Patients joined in droves. Then came a catastrophic data breach.

• University of California data breach: Sensitive information of staff, students leaked. On December 24, 2020, UC’s Accellion FTA was the target of an international attack, where perpetrators exploited a vulnerability in the application. Over 100 organizations were similarly attacked, including universities, government agencies and private companies. In connection with the attack, certain UC data was accessed without authorization.

• 51% of organizations have experienced a data breach caused by a third-party. A new report titled “A Crisis in Third-party Remote Access Security”, revealing the alarming disconnect between an organization’s perceived third-party access threat and the security measures it employs. Findings revealed that organizations are not taking the necessary steps to reduce third-party remote access risk and are exposing their networks to security and non-compliance risks. As a result, 44% of organizations have experienced a breach within the last 12 months, with 74% saying it was the result of giving too much privileged access to third-parties.

• Audio maker Bose discloses data breach after ransomware attack. While investigating the ransomware's attack impact on its network, the audio maker discovered that some of its current and former employees' personal information was accessed by the attackers.

• A new trick from identity thieves. An excerpt: “Starting with a name, address and little more, scammers can 'extract more detailed information, such as driver's license numbers,' thanks to the auto-fill features intended to make it easier to apply for a policy on many car insurance websites. From there, it's a short jump to submitting a fake unemployment claim, which was what happened to us." This is not new! It has been going on for years because it is being used so much more often.

• Kansas identity theft reports up 1,802% last year; highest rate in the US. Identity theft swelled nationwide during the coronavirus pandemic, but Kansas’ 1,802% year-over-year increase is the highest of any state, according to a new report based on data from the FTC’s Consumer Sentinel Network. The next-highest state, Rhode Island, saw an increase of 1,002%.

• Anthony 'Rumble' Johnson charged with identity theft day after win at Bellator 258. Johnson was arrested at the Mohegan Sun Casino and later released on $500 bail. Johnson had allegedly used someone else’s credit card without permission in 2019 to purchase a plane ticket to Fort Lauderdale, Florida. The police obtained a warrant and arrested Johnson at Mohegan Sun Casino in Uncasville one night after he'd defeated Jose Augusto in the second round of their Bellator 258 clash.

• Monett, Missouri pharmacy owner and Pharmacist indicted on Medicaid fraud, forgery, identity theft. The owner and a pharmacy technician of Old Town Pharmacy LLC were both indicted on 34 total counts. defendants forged several Medicaid recipients’ prescriptions, knowingly used MO HealthNet DCN numbers for six Medicaid recipients to appropriate approximately $25,000 from MO HealthNet, and made false statements to MO HealthNet to receive a payment of approximately $25,000.

• Online Identity Theft and the Impact on Your Job Prospects. A study picked up by CNBC claimed that nearly 14% of people who were victims of identity theft experienced problems when applying for a job (8.5% claimed it cost them the job opportunity). A further 32% (from a 2017 study) reported problems within their current role.

• Tarrant County officials warn that unemployment benefit identity theft is on the rise. It involves people filing for unemployment benefits using someone else's personal information. People are advised to document everything if they become a victim of identity theft and notify the police immediately.

• Nigerian national indicted for conspiracy, wire fraud and aggravated identity theft for fraud on Employment Security benefits. A Nigerian citizen arrested May 14, 2021 at JFK Airport in New York, is now indicted for conspiracy, wire fraud and aggravated identity theft for his scheme to steal over $350,000 in unemployment benefits from the Washington State Employment Security Department.

• Don’t let your Apple turn into a lemon! Apply Apple’s security updates to keep your system golden.

• CISA: Patch Issued for Critical Pulse Secure VPN Flaw Under Active Attack. Ivanti released a patch for a critical zero-day authentication bypass flaw found in its Pulse Secure VPN, which CISA previously warned was under active attack.

• Dell security flaw from 2009 affects 'hundreds of millions' of PCs: How to fix it.

• Qualcomm vulnerability impacts nearly 40% of all mobile phones. A high severity security vulnerability found in Qualcomm's Mobile Station Modem (MSM) chips (including the latest 5G-capable versions) could enable attackers to access mobile phone users' text messages, call history, and listen in on their conversations.

• US Department of Defense expands vulnerability disclosure program. The US Department of Defense (DoD) has expanded its security vulnerability disclosure program (VDP) beyond its public-facing websites and web applications to encompass all publicly accessible information systems. That brings into scope all public-facing DoD networks, frequency-based communication platforms, IoT devices, and industrial control systems, among other technologies, the DoD announced yesterday (May 4).

• Months before the coup, Myanmar army ordered intercept spyware. The technology gives the army the power to listen in on calls, view text messages & emails and track user location.

• Facing a public backlash, an Israeli spyware firm is now scoring its government customers. In 2018, human rights group Amnesty International accused NSO in court of helping the Saudi government spy on a close associate of Washington Post columnist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul. Then Facebook sued NSO just a day after Sunray started work, alleging the company had helped hack over 1,400 of its customers.

• Keeping Spyware Out Of U.S.-Made Drones Is Harder Than You Think. This has led to a U.S. government initiative to build and encourage an American small drone industry to create a supply of trustworthy drones. Perhaps the most significant restriction is Section 841 of the National Defense Authorization Act, which prohibits the Department of Defense from acquiring anything with a printed circuit board from China (or Russia, Iran or North Korea).

• Your car is spying on you, and a CBP contract shows the risks. A “vehicle forensics kit” can reveal where you’ve driven, what doors you opened and who your friends are.

• We Checked 250 iPhone Apps—This Is How They’re Tracking You

• Signal’s hack of surveillance tech used by police could undermine Australian criminal cases

• The Feds Can Access the Private Data On Your Phone Through Your Car

• The Verge: A new report from the Intercept has shed light on a worrying new technology that lets law enforcement agencies extract personal data from people’s cars. It reports that U.S. Customs and Border Protection recently made an order worth hundreds of thousands of dollars from Swedish data extraction firm MSAB that included iVe "vehicle forensics kits" made by US firm Berla.

• NC lawmakers want to give police even more power to track your phone without a warrant.

• WhatsApp Says It Filed Suit in India to Prevent Tracing of Encrypted Messages. Facebook unit says new rules in India would require ‘mass surveillance’ of user data.

• Cybercrime to Top $6 Trillion in 2021, According to Cybersecurity Ventures. A report produced by Cybersecurity Ventures sees cybercrimes skyrocketing in 2021.

• Honeywell Agrees to Pay Millions for Sending Controlled Arms Information Abroad

• Coast Guard to stand up first cyber ‘red team’ as it creates Cyber Operational Assessments Branch. The Coast Guard is transforming its cyber “blue team” enterprise into a more comprehensive Cyber Operational Assessments Branch, and is standing up its first red team as part of this restructuring. The red team, which the Coast Guard will stand up later this summer, will serve as a cyber adversary emulation and penetration testing organization for its cybersecurity operations.

• Cybercrime thrives during pandemic: Verizon 2021 Data Breach Investigations Report. Increase in phishing and ransomware attacks - along with continued high numbers of Web Application Attacks - underscore a year of unprecedented security challenges.

• In New Zealand: Patients caught in the middle of cyber warfare. DHB’s IT system was taken down by hackers, sending hospitals all over Waikato back to a pre-digital dark age of pens, paper and whiteboards. Sensitive patient data and staff information appears to have been stolen, according to emails sent to media companies by those claiming responsibility for the breach. This means everything from medical records to contract and pay details.

• A Complex Approach Is Needed to Win Cyber Wars.

• US to use Azerbaijan's experience in creation of cyber warfare support battalion. The US will use the experience that Azerbaijan used during the Second Karabakh War in the creation of the first battalion for the support of cyberwarfare, Chief of the Cyber Command of the US Armed Forces, Lieutenant General Stephen Fogarty said.

• Pensacola State College dedicates new cybersecurity center, including cyber warfare range. The new facility, named the Donald McMahon III Center for Cybersecurity after the PSC Foundation Board of Governors emeritus, gives students a dedicated space for the college's new cyber warfare range.

• From Australia: Blockchain and its importance in the current cyber war. A digital infrastructure platform could be the next tool in cyber warfare as trust declines and tensions increase between global powers.

• Yet another successful cybersecurity attack on part of the US critical infrastructure. As is becoming increasingly common, this one was a successful ransomware attack. No additional details about how it was executed have yet been provided. An excerpt: "The main pipeline carrying gasoline and diesel fuel to the US East Coast was shut down by its operator after being hit with a cyberattack. Colonial Pipeline Co.—which operates the 5,500-mile Colonial Pipeline system taking fuel from the refineries of the Gulf Coast up to the New York metro area—said it learned Friday that it was the victim of the attack and 'took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.'"

• Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom. This is not a matter of whether to pay the ransom or not. It is a matter of having a data, cyber, network security program implemented that 1) identifies ransomware attack attempts, including frequent training and awareness to employees, contractors and supply chain entities, 2) having sufficient up-to-date backups to make the need for the ransomed data moot, and 3) continuously monitoring networks for threats and suspicious activities and reacting quickly and appropriately.

• US defense contractor BlueForce apparently hit by ransomware. The Conti ransomware operators demanded nearly $1 million in bitcoin during ransomware negotiations and threatened to publish the defense contractor's data on its leak site.

• Ransomware's Dangerous New Trick Is Double-Encrypting Your Data. Even when you pay to get a decryption key, you may find your files are still locked up by another strain of malware.

• Cybereason vs. DarkSide Ransomware. “DarkSide is a relatively new ransomware strain that made its first appearance in August 2020. DarkSide follows the RaaS (ransomware-as-a-service) model, and, according to Hack Forums, the DarkSide team recently made an announcement that DarkSide 2.0 has been released. According to the group, it is equipped with the fastest encryption speed on the market, and even includes Windows and Linux versions.” They also have an affiliates program. They’ve basically created a very profitable, and still illegal, business for spreading their ransomware and making other cybercriminals rich off of their cybercrimes.

• Cheating at School Is Easier Than Ever—and It’s Rampant. With many students at home, and with a mass of websites offering services to do their homework, schools have seen a surge in academic dishonesty

• FBI: Conti ransomware attacked 16 US healthcare, first responder orgs.

• Bosses putting a ‘digital leash’ on remote workers could be crossing a privacy line. Some companies “have turned to technology to help [mange remote workers], but they may be walking a dangerous path using tools like artificial intelligence and algorithms to track employees and their work throughout the day, or even facial recognition that can ensure that someone is at their desk.” I cover these issues in detail in my upcoming book from my publisher, CRC Press, “Security & Privacy when Working from Home and Travelling”

• One Year Later: How the Evolving Work-from-Home Climate Prompts Reminders for Technology Best Practices. A recent study suggests that among employed adults who say that most of the responsibilities of their job can be done from home, 54% would want to work from home, all or most of the time, after the coronavirus outbreak ends. While this ever-evolving work-from-home climate has challenged employers to embrace technology like never before, you should take note that the conveniences of technology do not come without legal considerations.

• From the UK: Work From Home: Risks and Regulations for the Age of Hybrid Work. According to YouGov, 37% of people surveyed say their business has adopted hybrid working systems. And according to PwC , just 20% of financial services employees want to work in the office three or more days a week once COVID 19 is no longer a problem. Deutsche Bank, HSBC, the Bank of Ireland and Google are all either adopting or considering work from home models.

• Google expects 20% of employees to work from home. Employees will be offered opportunities to permanently work remotely or to transfer to other offices, based on their role and team needs, Google said Wednesday.

• RSA Conference keynoter Theresa Payton outlines how misinformation works and what organizations can do to help combat it.

• Facebook plans to bury users who regularly share misinformation. Facebook announced a new tactic: not only will posts with misinformation in them be made less visible, but so will the individual users who share them.

• Amazon’s algorithms promote extremist misinformation, report says. The report, by the Institute for Strategic Dialogue, adds to a growing body of research on how digital platforms — including Facebook, YouTube and Amazon — can inadvertently inflame conspiracy theories.

• Scams and Misinformation Challenges. Cybercrime has increased at an unprecedented rate as misinformation and disinformation evolve in the form of chain messages, deepfakes, and phishing via voice, text and email. All of these tactics can cause financial and reputational damage. It should come as no surprise that tech companies are pivoting their focus from surviving the pandemic to providing solutions to address these growing cybersecurity challenges.

• Mozilla reacts to the European Commission’s guidance on the revision of the EU Code of Practice on Disinformation.

• Twitter to call subscription service Twitter Blue, charge $3 a month, report says. Some are concerned about privacy, with having yet another repository of tweets that can be used for other purposes based on what have been marked as your “favorites.”

• Super-Secure Processor Thwarts Hackers by Turning a Computer Into a Puzzle. Interesting idea! But, will it work?

• The hidden work created by artificial intelligence programs. As AI programs become more prevalent, researchers say that companies need to prioritize behind-the-scenes workers and those affected by the programs.

• Tesla to Store China Data Locally in New Data Center. U.S. electric-car maker has faced scrutiny in China of its handling of potentially sensitive vehicle data.

• Google Strikes Deal With Hospital Chain to Develop Healthcare Algorithms. Tech giant expands health-sector presence in the latest deal to develop tools to improve medical care, as privacy concerns arise.